The Top Three Things I Learned About Security Solutions at the 2019 RSA Conference

Jumping into information security can be a lot like this.

TL;DR: Despite there being so much room for innovation, there are only a few obviously innovative products out there now, mostly due to a lack of understanding of what cybersecurity innovation is or what the problems are.

The security community is pretty split about what you get from attending the huge RSA security conference in San Francisco. The security industry is not.

While its detractors say it’s too big and too focused on vendors, the people who do go to RSAC say they go precisely because it’s very big and very focused on vendors, making it a one-stop shop for seeing the trends.

Whether you’re for it or against it, though, there are definitely opportunities to learn new things. These are the top three things I learned:

Lesson 1. Innovation is dead.

I learned that there is no innovation in cybersecurity just like there’s no life in the universe.

In the words of author Douglas Adams, “There’s no life in the universe,” because in infinite space any fraction of that space with life in it is so small that it would mathematically, essentially appear to be zero. And that’s where we’re at in cybersecurity.

Based on research at the place I work, the non-profit research organization, ISECOM, we calculated how many unique, defensive, cybersecurity products can possibly exist. The result of this equation that takes into consideration all the variations of operational security, security controls, and communication channels is that there are a potential 1.03 x 10³⁶ unique solutions possible.

To put things in perspective, if the number of unique solutions were counted in meters, the result would reach way past the farthest known object in the universe at 10²⁶ meters away. Not as infinite as Adams says about the infinite universe but pretty damn big.

Now, according to the ISECOM equation, about one third of those solutions are not possible with today’s technology. Still, a lot of potential unique solutions. So what do we find at the world’s largest cybersecurity conference in terms of vendor innovation?

First, anything that has a whiff of real innovation is sequestered into another area specifically for innovative start-ups, far away from the main vendor floors that are trying to one-up each other with innovation claims. That’s where the CryptoMove showcase was, as it is both a start-up and an improved implementation of a solid security practice, hence, innovative.

It’s a good idea from a PR perspective to separate out the new and innovative from the other vendors because it allows journalists a space to focus on individual stories in a less chaotic and noisy environment.

That doesn’t mean there isn’t anything innovative on the main show floors. There’s actually some pretty great new stuff coming from the more established vendors, mostly because they have fine-tuned their existing products as far as they can go and now really need to jump into new things. However, it won’t sound new to you. Which is why, despite so much innovation, it still seems like innovation is mostly dead.

Lesson 2. Most products have innovation.

I learned there’s a reason why innovation doesn’t always sound like innovation, especially in the security space. Because real innovation doesn’t sell easily. It has to sound like something you know works or else people won’t buy it. There’s just too much at stake to try real innovation. That’s why what we normally get pitched to us as “innovative” sounds like the same old stuff despite running some fine futuristic stuff under the hood. That stuff could be a process, code, or even hardware. Yet you wouldn’t know it and they won’t tell you other than it’s “innovative”, which tends to sound blander with each company that tells you that.

Take CryptoMove, for example. From a security analysis viewpoint it’s innovative because it combines multiple communication channels with confidentiality and integrity controls. That means an attack needs to cross not just digital space but physical and wireless space to assemble all the parts together to decrypt it. Again, what might sound just like encryption babble to the average person tells a security professional that this is a product that overcomes the brute-force cracking problem by forcing attackers to move at human speeds and physical distances, which dramatically increases the time needed for cracking even the lousiest ROT13 kind of encryption. That’s innovative cybersecurity future-proofing.

However, a company like that can’t go on the market as “future-proofing cryptography” because something like “new” cryptography is something security professionals are taught to be wary of. It’s one of those things where older is better, as it means it’s been time tested and flaws worked out. There’s been so much snake-oil over the years selling bad cryptography and so many companies burned by it that it’s ingrained in us to take a step back when we hear the words “new” and “cryptography” side by side.

This leads to many product vendors hiding what’s really innovative or focusing only on marketing the parts of things that their customers are comfortable with being innovative, like it being faster, smarter, or using more data sources. They may also tie the process or operations of the product to things people know and are familiar with. A firewall isn’t anything like an actual physical firewall but the imagery is enough to make it understood and sell. A computer virus wasn’t called a virus formally until Fred Cohen wrote an academic paper about them in 1987, a full 16 years after the first one, Creeper, appeared on Arpanet. And conversely, products that fought them started calling themselves AntiVirus despite Cohen proving mathematically that it’s impossible for any algorithm to ever be able to detect them all. Yet, it sold. Not because it worked but because of the name. It was familiar, something that people knew.

This is what I saw a lot of from vendors at the RSA conference. They were smart not to boast anything so new as to scare potential buyers away to the next booth. Therefore most of the innovation, whether incremental or grand, was kept under the blanket of words like “machine learning” and “behavioral analysis” to make it seem less risky.

Lesson 3. Some problems are innovative.

Sometimes the vendors wanted to scare us. Then I learned everything out there is risky. Every threat is newer and scarier than it was last year. And you need their product to mitigate that risk.

The reality is that it does get scarier every year and the threats do get more capable just as the defenses do. They do use the same technologies after all. However, just as some cybersecurity products can show real innovation by leaping far ahead in this cat-and-mouse game, so can some of the threats. An IoT botnet is a terrible yet excellent example of that, turning many small, regional device vulnerabilities into something devastating on a worldwide scale.

It can be hard to find the wonder of innovation in threats and even harder to admire the ingenuity in them but you at least need to recognize their awesomeness. And I mean that in a powerfulness kind of way and not a “really cool” kind of way. These are the kinds of attacks you really couldn’t see coming. That’s important to understand or else you may not be aware of the dire need for real innovation in cybersecurity. Because really, without it, it will be something we’ll have to learn the hard way.

--

Pete Herzog
CryptoMove Blog | Moving Target Data Protection

Hacker/Analyst, Researcher, Speaker. Warning: this is my ideas blog for controversial stuff. YMMV. Twitter: @peteherzog